ExpressForwarder™

1.0 Introduction

The Securolytics ExpressForwarder™ is a simple, easy-to-use tool designed to forward Microsoft Windows DHCP, DNS and Active Directory logs to Securolytics.  Just download and install the ExpressForwarder™ on each of your Windows DHCP, DNS and Active Directory servers.
  1. The lightweight forwarder only reads the Windows logs.
  2. Logs are compressed and encrypted before being sent to Securolytics.
  3. You can easily uninstall the ExpressForwarder™ at anytime.

2.0 Installation

2.1 Download

Download the latest version of the ExpressForwarder™ using the link below.
File Size: 10,944,512 Bytes
MD5: B7D1C5F82467B963FFB063BA49A939A9
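A check added here (not part of the Securolytics documentation) that compares the downloaded installer with the size and MD5 published above before it is run as Administrator; it assumes the download was saved as ClientServiceInstaller.msi in the current directory.

```powershell
# Added example, not Securolytics' own code: verify the installer against the published
# size and MD5 before running it. Assumes the download was saved as .\ClientServiceInstaller.msi.
param([string]$Path = '.\ClientServiceInstaller.msi')

$ExpectedSize = 10944512                             # bytes, as documented
$ExpectedMd5  = 'B7D1C5F82467B963FFB063BA49A939A9'   # as documented

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
# MD5 only guards against a corrupt or swapped download, not against a capable attacker,
# so the Authenticode signature is reported as well (the page does not publish the signer).
$sig  = Get-AuthenticodeSignature -LiteralPath $Path

$sizeOk = ($file.Length -eq $ExpectedSize)
$md5Ok  = ($md5 -ieq $ExpectedMd5)

'Size      : {0,11} bytes (expected {1}) -> {2}' -f $file.Length, $ExpectedSize, $(if ($sizeOk) { 'OK' } else { 'MISMATCH' })
'MD5       : {0} -> {1}' -f $md5, $(if ($md5Ok) { 'OK' } else { 'MISMATCH' })
'Signature : {0} {1}' -f $sig.Status, $(if ($sig.SignerCertificate) { '(' + $sig.SignerCertificate.Subject + ')' } else { '' })

if (-not ($sizeOk -and $md5Ok)) {
    Write-Error 'Installer does not match the published size/MD5; do not run it.'
    exit 1
}
```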

2.2 Install

You must launch the ExpressForwarder™ install from a Command Prompt.
  1. Open a Windows Command Prompt window as Administrator.
  2. Navigate to the directory with the ExpressForwarder™ install file. (ClientServiceInstaller.msi)
  3. Type ClientServiceInstaller.msi and hit Enter.

  1. When the installation begins, simply follow the UI prompts.
  2. During the installation, you will be prompted to enter your API Keys.  These keys can be found in the Securolytics UI by navigating to IoT Security > Configuration.
  3. If your installation is successful, the ExpressForwarder will report "Services registered successfully" and "Services started successfully".  A server reboot is not required.  If you do not receive these success messages or if an error is returned, please contact Securolytics Support or your Authorized Securolytics Partner.

3.0 Uninstall

The Securolytics ExpressForwarder™ can be completely uninstalled by using the Microsoft Windows built-in "Programs and Features" utility.  Navigate to Control Panel > Programs > Programs and Features.  Select the "ExpressForwarder" and then click "Uninstall".

4.0 Frequently Asked Questions (FAQs)

► Where does the ExpressForwarder™ get installed?
By default, the ExpressForwarder™ files are installed in C:\Program Files (x86)\ExpressForwarder\.  The installation path can be modified during the installation if needed.  Troubleshooting data is stored in C:\ProgramData\ExpressForwarder.

► Does the ExpressForwarder™ run as a Windows service?
Yes.  In fact, the ExpressForwarder installs (2) services:
  1. AD-ExpressForwarder.exe (Collects Active Directory logs)
  2. ExpressForwarder.exe (Collects DHCP and DNS logs)

► How much memory does the ExpressForwarder™ need?
Approximately 10MB for both services together.  This is 0.06% of the total memory on a server with 16GB of memory installed.

► What event logging level is required for the ExpressForwarder™?
During the ExpressForwarder™ installation, the recommended logging levels will be set for Microsoft DHCP and Microsoft DNS servers.  No changes to the default Active Directory logging are required.  An example of the recommended DHCP and DNS logging configuration is below.

      DHCP
      The ExpressForwarder™ reads the DHCP audit log from the default path at C:\Windows\system32\dhcp\.

      DNS
      The ExpressForwarder™ reads the DNS audit log from the default path at C:\windows\system32\dns\.

► What firewall rules are required for the ExpressForwarder™ to operate?
The ExpressForwarder™ must be able to communicate with the Securolytics Cloud using the following IPs, protocols and ports.

Domain/Host                                       IP Address          Protocol      Port
apps.teknas.com                                   54.236.119.220      TCP (HTTPS)   443
logs.teknas.com                                   198.50.160.129      TCP (HTTPS)   443
forwarder.north-america.collect.securolytics.io   198.50.160.128/28   TCP (HTTPS)   443
forwarder.europe.collect.securolytics.io          92.222.231.128/28   TCP (HTTPS)   443

► Can the ExpressForwarder™ be configured to forward logs directly to my IoT Security Appliance instead of the Securolytics Cloud?
Yes. If your organization's security policy prohibits applications from communicating directly with the Internet, the ExpressForwarder™ can be manually configured to forward logs to your IoT Security Appliance located on the inside of your network.
These changes must be completed before the ExpressForwarder™ is installed.  If you have already installed the ExpressForwarder™, simply remove it, make the changes below, flush the Windows DNS cache (ipconfig /flushdns) and then re-install the ExpressForwarder™.
Also, please notify Securolytics Support or your Authorized Securolytics Partner before making this change so we can be prepared to assist with troubleshooting if necessary.
  1. Open a Windows Notepad as Administrator.
  2. Open the Windows "hosts" file in Notepad. (C:\Windows\System32\drivers\etc\hosts)
  3. Add the following (4) entries to the bottom of the file.  Replace [iotsa_ipaddress] with the actual IP Address of your IoT Security Appliance.

    [iotsa_ipaddress]    apps.teknas.com
    [iotsa_ipaddress]    logs.teknas.com
    [iotsa_ipaddress]    forwarder.north-america.collect.securolytics.io
    [iotsa_ipaddress]    forwarder.europe.collect.securolytics.io
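A verification script added here (not part of the Securolytics documentation) for both the firewall table and the hosts-file override above: it resolves each of the four endpoint names, checks the result against the documented addresses (or against the appliance address when -ApplianceIp is given), and tests TCP 443 reachability. The parameter name and the helper functions are this example's own.

```powershell
# Added example, not Securolytics' own code: confirm that each endpoint from the firewall
# table resolves where expected and that TCP 443 is reachable. Pass -ApplianceIp when the
# hosts-file override for an IoT Security Appliance is in use; every name must then resolve
# to the appliance instead of the Securolytics Cloud addresses.
param([string]$ApplianceIp)

# Expected addresses copied from the firewall table in this FAQ.
$Endpoints = @(
    @{ Name = 'apps.teknas.com';                                 Expected = '54.236.119.220/32' }
    @{ Name = 'logs.teknas.com';                                 Expected = '198.50.160.129/32' }
    @{ Name = 'forwarder.north-america.collect.securolytics.io'; Expected = '198.50.160.128/28' }
    @{ Name = 'forwarder.europe.collect.securolytics.io';        Expected = '92.222.231.128/28' }
)

function ConvertTo-IPv4Int { param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int64]$_ }
    return ((($o[0] * 256) + $o[1]) * 256 + $o[2]) * 256 + $o[3]
}

function Test-IPv4InCidr { param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $mask = (4294967295 -shl (32 - [int]$bits)) -band 4294967295   # Int64 math, no overflow
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

$allOk = $true
foreach ($e in $Endpoints) {
    $expected = if ($ApplianceIp) { "$ApplianceIp/32" } else { $e.Expected }
    try {
        # Dns.GetHostAddresses honours the hosts file, so the appliance override is exercised too.
        $addrs = @([System.Net.Dns]::GetHostAddresses($e.Name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   ForEach-Object { $_.IPAddressToString })
    } catch { $addrs = @() }

    $resolved  = $addrs.Count -gt 0
    $inRange   = $resolved -and (@($addrs | ForEach-Object { Test-IPv4InCidr $_ $expected }) -notcontains $false)
    $reachable = $resolved -and (Test-NetConnection -ComputerName $e.Name -Port 443 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue)
    $ok = $resolved -and $inRange -and $reachable
    if (-not $ok) { $allOk = $false }

    '{0,-4} {1,-48} resolves to {2,-18} expected {3,-18} tcp443={4}' -f `
        $(if ($ok) { 'OK' } else { 'FAIL' }), $e.Name, ($addrs -join ','), $expected, $reachable
}
if (-not $allOk) { exit 1 }
```

A FAIL on the address check after the hosts-file change usually means the DNS cache still holds the cloud address; the ipconfig /flushdns step above clears it.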

► Does the ExpressForwarder™ encrypt all communication?
Yes.  During the installation, a Securolytics-signed SSL certificate is installed and used to encrypt all communication between your Windows server and Securolytics.

ExpressForwarder™ SSL Certificate

Common Name: logs.teknas.com
Valid From: September 21, 2015
Valid To: September 18, 2025
Serial Number: bed7f0f488159af1

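A check added here (not part of the Securolytics documentation) that retrieves the certificate presented by logs.teknas.com on TCP 443 and compares it with the details listed above; it assumes the script runs on a server where the ExpressForwarder™ is already installed, so the Securolytics-signed chain can be evaluated against that server's trust store.

```powershell
# Added example, not Securolytics' own code: retrieve the certificate presented on TCP 443 by
# logs.teknas.com and compare it with the details published above. Run it on a server where
# the ExpressForwarder is installed so the Securolytics-signed chain can be evaluated.
param([string]$Hostname = 'logs.teknas.com', [int]$Port = 443)

$ExpectedSerial = 'bed7f0f488159af1'   # as documented; compared case-insensitively

$tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
try {
    # Accept whatever the server sends at handshake time; the chain is evaluated explicitly below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($Hostname)
    $raw = $ssl.RemoteCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
} finally { $tcp.Close() }

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk  = $chain.Build($cert)
$serialOk = $cert.SerialNumber -ieq $ExpectedSerial
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

"Subject  : $($cert.Subject)"
"Serial   : $($cert.SerialNumber) -> $(if ($serialOk) { 'matches documentation' } else { 'DIFFERS from documentation' })"
"Validity : $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days remaining)"
"Chain    : $(if ($chainOk) { 'trusted on this host' } else { 'NOT trusted: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') })"

# A serial that differs, or an expiry in the past, is worth confirming with Securolytics
# Support before trusting the endpoint (the certificate may simply have been rotated).
if (-not ($serialOk -and $chainOk -and $daysLeft -gt 0)) { exit 1 }
```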